test: Assert application password extras functionality

Author: dcalhoun

projects/plugins/jetpack/tests/php/_inc/lib/Jetpack_Application_Password_Extras_Test.php

@@ -0,0 +1,152 @@
+<?php
+/**
+ * Tests for Jetpack_Application_Password_Extras class
+ *
+ * @package automattic/jetpack
+ */
+
+use PHPUnit\Framework\Attributes\CoversClass;
+
+require_once JETPACK__PLUGIN_DIR . '/tests/php/lib/Jetpack_REST_TestCase.php';
+require_once JETPACK__PLUGIN_DIR . '/_inc/lib/class-jetpack-application-password-extras.php';
+
+/**
+ * Class Jetpack_Application_Password_Extras_Test
+ *
+ * @covers \Jetpack_Application_Password_Extras
+ */
+#[CoversClass( Jetpack_Application_Password_Extras::class )]
+class Jetpack_Application_Password_Extras_Test extends Jetpack_REST_TestCase {
+
+	/**
+	 * Mock user ID.
+	 *
+	 * @var int
+	 */
+	private static $user_id = 0;
+
+	/**
+	 * Create shared database fixtures.
+	 *
+	 * @param WP_UnitTest_Factory $factory Fixture factory.
+	 */
+	public static function wpSetUpBeforeClass( $factory ) {
+		static::$user_id = $factory->user->create( array( 'role' => 'administrator' ) );
+	}
+
+	/**
+	 * Setup the environment for a test.
+	 */
+	public function set_up() {
+		parent::set_up();
+		wp_set_current_user( static::$user_id );
+	}
+
+	/**
+	 * Tear down the environment after a test.
+	 */
+	public function tear_down() {
+		parent::tear_down();
+		unset( $_GET['p'] );
+		unset( $_GET['page_id'] );
+		unset( $GLOBALS['wp_current_filter'] );
+	}
+
+	/**
+	 * Test that init method registers the hook correctly.
+	 */
+	public function test_init_registers_hook() {
+		remove_all_filters( 'application_password_is_api_request' );
+		Jetpack_Application_Password_Extras::init();
+
+		$this->assertNotFalse(
+			has_filter( 'application_password_is_api_request', array( 'Jetpack_Application_Password_Extras', 'application_password_extras' ) ),
+			'Hook should be registered'
+		);
+	}
+
+	/**
+	 * Test that non-matching requests preserve original false value.
+	 */
+	public function test_non_matching_request_preserves_original_false_value() {
+		set_current_screen( 'dashboard' );
+
+		$result = Jetpack_Application_Password_Extras::application_password_extras( false );
+		$this->assertFalse( $result, 'Should preserve false when not in matching context' );
+	}
+
+	/**
+	 * Test that non-matching requests preserve original true value.
+	 */
+	public function test_non_matching_request_preserves_original_true_value() {
+		set_current_screen( 'dashboard' );
+
+		$result = Jetpack_Application_Password_Extras::application_password_extras( true );
+		$this->assertTrue( $result, 'Should preserve true when not in matching context' );
+	}
+
+	/**
+	 * Test that admin-ajax requests are allowed.
+	 */
+	public function test_admin_ajax_request_allowed() {
+		set_current_screen( 'dashboard' );
+		add_filter( 'wp_doing_ajax', '__return_true' );
+
+		$result = Jetpack_Application_Password_Extras::application_password_extras( false );
+
+		remove_filter( 'wp_doing_ajax', '__return_true' );
+
+		$this->assertTrue( $result, 'Result should be true' );
+	}
+
+	/**
+	 * Test that post preview requests are allowed.
+	 */
+	public function test_post_preview_request_allowed() {
+		$_GET['p'] = '123';
+
+		$result = Jetpack_Application_Password_Extras::application_password_extras( false );
+
+		$this->assertTrue( $result, 'Post preview requests should be allowed' );
+	}
+
+	/**
+	 * Test that page preview requests are allowed.
+	 */
+	public function test_page_preview_request_allowed() {
+		$_GET['page_id'] = '456';
+
+		$result = Jetpack_Application_Password_Extras::application_password_extras( false );
+
+		$this->assertTrue( $result, 'Page preview requests should be allowed' );
+	}
+
+	/**
+	 * Test multiple conditions at once.
+	 */
+	public function test_multiple_conditions_prioritize_first_match() {
+		set_current_screen( 'dashboard' );
+		add_filter( 'wp_doing_ajax', '__return_true' );
+		$_GET['p'] = '123';
+
+		$result = Jetpack_Application_Password_Extras::application_password_extras( false );
+
+		remove_filter( 'wp_doing_ajax', '__return_true' );
+
+		$this->assertTrue( $result, 'Should return true when any condition matches' );
+	}
+
+	/**
+	 * Test that get_abilities returns all expected abilities.
+	 */
+	public function test_get_abilities_complete() {
+		$abilities = Jetpack_Application_Password_Extras::get_abilities();
+
+		$expected_abilities = array(
+			'admin-ajax'    => true,
+			'post-previews' => true,
+		);
+
+		$this->assertEquals( $expected_abilities, $abilities, 'get_abilities should return all expected abilities' );
+	}
+}

projects/plugins/jetpack/tests/php/core-api/wpcom-endpoints/WPCOM_REST_API_V2_Endpoint_Application_Password_Extras_Test.php

@@ -0,0 +1,217 @@
+<?php
+/**
+ * Tests for /wpcom/v2/application-password-extras endpoints.
+ *
+ * @package automattic/jetpack
+ */
+
+use PHPUnit\Framework\Attributes\CoversClass;
+use PHPUnit\Framework\Attributes\DataProvider;
+use WpOrg\Requests\Requests;
+
+require_once dirname( __DIR__, 2 ) . '/lib/Jetpack_REST_TestCase.php';
+require_once JETPACK__PLUGIN_DIR . '/_inc/lib/class-jetpack-application-password-extras.php';
+
+/**
+ * Class WPCOM_REST_API_V2_Endpoint_Application_Password_Extras_Test
+ *
+ * @covers \WPCOM_REST_API_V2_Endpoint_Application_Password_Extras
+ */
+#[CoversClass( WPCOM_REST_API_V2_Endpoint_Application_Password_Extras::class )]
+class WPCOM_REST_API_V2_Endpoint_Application_Password_Extras_Test extends Jetpack_REST_TestCase {
+
+	/**
+	 * Mock user ID.
+	 *
+	 * @var int
+	 */
+	private static $user_id = 0;
+
+	/**
+	 * Mock editor user ID.
+	 *
+	 * @var int
+	 */
+	private static $editor_id = 0;
+
+	/**
+	 * Create shared database fixtures.
+	 *
+	 * @param WP_UnitTest_Factory $factory Fixture factory.
+	 */
+	public static function wpSetUpBeforeClass( $factory ) {
+		static::$user_id   = $factory->user->create( array( 'role' => 'administrator' ) );
+		static::$editor_id = $factory->user->create( array( 'role' => 'editor' ) );
+	}
+
+	/**
+	 * Setup the environment for a test.
+	 */
+	public function set_up() {
+		parent::set_up();
+
+		// Initialize the class to ensure it's available
+		Jetpack_Application_Password_Extras::init();
+
+		wp_set_current_user( static::$user_id );
+	}
+
+	/**
+	 * Test that routes are registered correctly.
+	 */
+	public function test_routes_registered() {
+		$routes = rest_get_server()->get_routes();
+
+		$this->assertArrayHasKey( '/wpcom/v2/application-password-extras/abilities', $routes );
+		$this->assertArrayHasKey( '/wpcom/v2/application-password-extras/admin-ajax', $routes );
+		$this->assertArrayHasKey( '/wpcom/v2/application-password-extras/post-previews', $routes );
+	}
+
+	/**
+	 * Test permission check for unauthenticated users.
+	 */
+	public function test_unauthenticated_user_cannot_access_abilities() {
+		wp_set_current_user( 0 );
+
+		$request  = new WP_REST_Request( Requests::GET, '/wpcom/v2/application-password-extras/abilities' );
+		$response = $this->server->dispatch( $request );
+
+		$this->assertErrorResponse( 'rest_forbidden', $response, 401 );
+		$data = $response->get_data();
+		$this->assertEquals( 'Sorry, you must be logged in to access this endpoint.', $data['message'] );
+	}
+
+	/**
+	 * Test permission check for authenticated users.
+	 */
+	public function test_authenticated_user_can_access_abilities() {
+		wp_set_current_user( static::$user_id );
+
+		$request  = new WP_REST_Request( Requests::GET, '/wpcom/v2/application-password-extras/abilities' );
+		$response = $this->server->dispatch( $request );
+
+		$this->assertEquals( 200, $response->get_status() );
+	}
+
+	/**
+	 * Test that get_abilities endpoint returns correct data.
+	 */
+	public function test_get_abilities_endpoint_returns_correct_data() {
+		wp_set_current_user( static::$user_id );
+
+		$request  = new WP_REST_Request( Requests::GET, '/wpcom/v2/application-password-extras/abilities' );
+		$response = $this->server->dispatch( $request );
+		$data     = $response->get_data();
+
+		$this->assertEquals( 200, $response->get_status() );
+		$this->assertIsArray( $data );
+		$this->assertArrayHasKey( 'admin-ajax', $data );
+		$this->assertArrayHasKey( 'post-previews', $data );
+		$this->assertTrue( $data['admin-ajax'] );
+		$this->assertTrue( $data['post-previews'] );
+	}
+
+	/**
+	 * Data provider for endpoint tests
+	 *
+	 * @return array
+	 */
+	public static function endpoint_provider() {
+		return array(
+			'abilities endpoint'     => array( '/wpcom/v2/application-password-extras/abilities' ),
+			'admin-ajax endpoint'    => array( '/wpcom/v2/application-password-extras/admin-ajax' ),
+			'post-previews endpoint' => array( '/wpcom/v2/application-password-extras/post-previews' ),
+		);
+	}
+
+	/**
+	 * Test that all endpoints work correctly for authenticated users.
+	 *
+	 * @dataProvider endpoint_provider
+	 * @param string $endpoint The endpoint to test.
+	 */
+	#[DataProvider( 'endpoint_provider' )]
+	public function test_endpoints_work_for_authenticated_users( $endpoint ) {
+		wp_set_current_user( static::$user_id );
+
+		$request  = new WP_REST_Request( Requests::GET, $endpoint );
+		$response = $this->server->dispatch( $request );
+		$data     = $response->get_data();
+
+		$this->assertEquals( 200, $response->get_status() );
+		$this->assertIsArray( $data );
+		$this->assertArrayHasKey( 'admin-ajax', $data );
+		$this->assertArrayHasKey( 'post-previews', $data );
+	}
+
+	/**
+	 * Test that all endpoints require authentication.
+	 *
+	 * @dataProvider endpoint_provider
+	 * @param string $endpoint The endpoint to test.
+	 */
+	#[DataProvider( 'endpoint_provider' )]
+	public function test_endpoints_require_authentication( $endpoint ) {
+		wp_set_current_user( 0 );
+
+		$request  = new WP_REST_Request( Requests::GET, $endpoint );
+		$response = $this->server->dispatch( $request );
+
+		$this->assertErrorResponse( 'rest_forbidden', $response, 401 );
+	}
+
+	/**
+	 * Test that editor users can access abilities.
+	 */
+	public function test_editor_can_access_abilities() {
+		wp_set_current_user( static::$editor_id );
+
+		$request  = new WP_REST_Request( Requests::GET, '/wpcom/v2/application-password-extras/abilities' );
+		$response = $this->server->dispatch( $request );
+
+		$this->assertEquals( 200, $response->get_status() );
+		$data = $response->get_data();
+		$this->assertIsArray( $data );
+	}
+
+	/**
+	 * Test that only GET requests are allowed.
+	 */
+	public function test_only_get_requests_allowed() {
+		wp_set_current_user( static::$user_id );
+
+		$disallowed_methods = array(
+			Requests::POST,
+			Requests::PUT,
+			Requests::DELETE,
+			Requests::PATCH,
+		);
+
+		foreach ( $disallowed_methods as $method ) {
+			$request  = new WP_REST_Request( $method, '/wpcom/v2/application-password-extras/abilities' );
+			$response = $this->server->dispatch( $request );
+
+			// Routes that don't support a method typically return 404 (not found) in WordPress REST API
+			$this->assertContains(
+				$response->get_status(),
+				array( 404, 405 ),
+				"Method $method should not be allowed (status should be 404 or 405)"
+			);
+		}
+	}
+
+	/**
+	 * Test response headers are set correctly.
+	 */
+	public function test_response_headers() {
+		wp_set_current_user( static::$user_id );
+
+		$request  = new WP_REST_Request( Requests::GET, '/wpcom/v2/application-password-extras/abilities' );
+		$response = $this->server->dispatch( $request );
+
+		$headers = $response->get_headers();
+
+		// Standard REST API headers should be present
+		$this->assertIsArray( $headers );
+	}
+}